Hey, I want a page to be executed every hour which will reset some settings on my site. I've worked out how to do this with Cron and I've got that working. The only problem is, if a user gets lucky and finds out the filename of the script that is executed, they can reset the settings whenever they want.

I was wondering if some of you can give me some ideas to look at so that a user cannot open the script or which stops it executing when a user visits it.

mlseim

08-04-2007, 07:20 PM

First, give it a strange filename, like "cronjob487634.php"

Then, in the beginning of the script, look for a variable:

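// Read the parameter without raising an undefined-index notice when it is absent
$test = isset($_GET['action']) ? $_GET['action'] : '';
if ($test === "go") {

    // the main part of your script

}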

Your cronjob will provide that variable when it runs.
Nobody will be able to determine that a variable is needed.

cronjob487634.php?action=go

rafiki

08-04-2007, 07:29 PM

you could even make it harder and give the variable a strange name

// The expected value must be a quoted string, not a bare word
if (isset($_GET['umpaloompa']) && $_GET['umpaloompa'] == 'nbioafjj') {
    // do something
} else {
    exit;
}

PappaJohn

08-04-2007, 09:09 PM

or just place the script above your document root.

jcsarmento

07-13-2009, 01:19 AM

Is this possible using $_POST instead of GET?

In my case I need to use $_POST but the cron does not submit the POST.
In Firefox or any other browser, no problem...

many thanks
jsarmento

Zangeel

07-13-2009, 01:29 AM

You can always check the referrer, can't you? Make sure the referrer is the crons. But if you can cron a file above the public html, that should work. I never really used crons so just throwin some ideas at ya.

mlseim

07-13-2009, 04:02 AM

jsarmento ...

Show us what you already have.
There is a way to use POST but I don't know if you'll figure out how
to incorporate my snippet ... that's why I want to see what you have so far.

Inigoesdr

07-13-2009, 04:10 AM

Assuming the php.ini setting "register_argc_argv" is off (which it is by default, for performance reasons), you can check to see if $argv is set. It will be set when run from the command line, and won't be set when loaded through the web server. But, ideally the file would be out of the web root, or in a directory with an .htaccess file that denies all requests.

You can always check the referrer, can't you? Make sure the referrer is the crons. But if you can cron a file above the public html, that should work. I never really used crons so just throwin some ideas at ya.

No, you absolutely cannot trust the referrer. It is a header sent from the client, and can be easily manipulated.
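The following is an added example, not part of any post in this thread: a guard for the top of the cron script that lets command-line runs through and refuses web requests unless they carry a shared secret. It is a sketch of the command-line check discussed above, using PHP_SAPI instead of $argv; the CRON_TOKEN environment variable, the X-Cron-Token header and the crontab path are hypothetical names chosen for illustration.

```php
<?php
// Added example (not from the thread). Put this at the top of the cron script.
// Constructed crontab entry for an hourly command-line run (path is hypothetical):
//   0 * * * * php /home/example/cron/reset_settings.php

/**
 * Decide whether this invocation may run the job.
 *
 * @param string $sapi     Value of PHP_SAPI ('cli' when started from the command line)
 * @param array  $server   The $_SERVER array of the current request
 * @param string $expected Shared secret, or '' when web triggering is disabled
 */
function cron_request_allowed(string $sapi, array $server, string $expected): bool
{
    // Started by cron through the PHP command-line binary: no HTTP client is involved.
    if ($sapi === 'cli') {
        return true;
    }

    // Any other SAPI means a web request. With no secret configured, refuse outright.
    if ($expected === '') {
        return false;
    }

    // Hypothetical header X-Cron-Token; PHP exposes it as HTTP_X_CRON_TOKEN.
    // A header keeps the secret out of the URL, which web servers normally
    // write to their access logs.
    $given = $server['HTTP_X_CRON_TOKEN'] ?? '';

    // hash_equals() compares in constant time, so response timing does not
    // reveal how many leading characters of a guess were correct.
    return is_string($given) && hash_equals($expected, $given);
}

// CRON_TOKEN is a hypothetical environment variable holding a long random value.
$expected = getenv('CRON_TOKEN') ?: '';

if (!cron_request_allowed(PHP_SAPI, $_SERVER, $expected)) {
    http_response_code(403);
    exit;
}

// the main part of your script
```

If the job only ever runs from the command line, leave CRON_TOKEN unset so every web request is refused, and keep the file outside the document root as suggested earlier in the thread.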